Roles / rights for a technical ABAP user to access SAP Tables via code

Hi @all,
does anybody know which roles / rights a technical user must have to access SAP Tables and read / write from or into it?
Are there any basic roles?
kind regards
Micha

Please see note [382318|https://service.sap.com/sap/support/notes/382318] for further information.
Additionally, if you would use it nevertheless at your own risk, be careful with granting read permissions to whole tables as you might easily end up there with disclosing confidential or privacy data.
In general, function modules of this type that read arbitrary SAP tables are regarded as a security threat by a responsible administrator and you might not get the permission for it at all.
In my personal opinion, I would classify most software that requires the availability of the function module RFC_READ_TABLE to have a major design bug. At least I would not bet that the developer of this really understood the difference between a database and an ERP system. It is always the recommended way to use specialized function modules for reading data from and even more for storing data into an ERP. Specialized modules normally do not go around fine-grained authorization checks and/or destroy the consistency of the stored data.
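
An added example, not part of the original thread or of any SAP code: a small audit that flags roles pairing RFC access to RFC_READ_TABLE with read or change rights on all tables, the whole-table exposure the reply above warns about. The authorization objects S_RFC, S_TABU_DIS and S_TABU_NAM are not named in the thread; the role names, the CSV export layout (columns of table AGR_1251) and the function group SDTX are assumptions.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample: one row per authorization field value, using the
# AGR_NAME/OBJECT/AUTH/FIELD/LOW/HIGH columns of table AGR_1251 (assumed export).
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_TECH_EXTRACT,S_RFC,A1,RFC_TYPE,FUGR,
Z_TECH_EXTRACT,S_RFC,A1,RFC_NAME,SDTX,
Z_TECH_EXTRACT,S_RFC,A1,ACTVT,16,
Z_TECH_EXTRACT,S_TABU_DIS,A2,ACTVT,03,
Z_TECH_EXTRACT,S_TABU_DIS,A2,DICBERCLS,*,
Z_TECH_NARROW,S_RFC,B1,RFC_TYPE,FUNC,
Z_TECH_NARROW,S_RFC,B1,RFC_NAME,RFC_READ_TABLE,
Z_TECH_NARROW,S_RFC,B1,ACTVT,16,
Z_TECH_NARROW,S_TABU_NAM,B2,ACTVT,03,
Z_TECH_NARROW,S_TABU_NAM,B2,TABLE,T001,
Z_TECH_WRITE,S_TABU_DIS,C1,ACTVT,02,
Z_TECH_WRITE,S_TABU_DIS,C1,DICBERCLS,SC,
"""

# RFC_READ_TABLE and the function group assumed to contain it (SDTX).
RFC_TARGETS = ("RFC_READ_TABLE", "SDTX")
TABLE_FIELD = {"S_TABU_DIS": "DICBERCLS", "S_TABU_NAM": "TABLE"}

def covers(values, wanted):
    """True if any (low, high) entry covers one of the wanted names.
    LOW may be a pattern such as RFC* or *; LOW..HIGH is an inclusive range."""
    return any(bool(high and low <= name <= high) or fnmatchcase(name, low)
               for low, high in values for name in wanted)

def audit(csv_text):
    """Return {role: (severity, detail)} for roles that can call RFC_READ_TABLE."""
    # role -> (object, authorization instance) -> field -> [(low, high), ...]
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["OBJECT"], row["AUTH"])
        roles[row["AGR_NAME"]][key][row["FIELD"]].append(
            (row["LOW"].strip(), (row["HIGH"] or "").strip()))
    findings = {}
    for role, auths in roles.items():
        can_call, all_tables, scoped = False, False, set()
        for (obj, _auth), fields in auths.items():
            # All fields must be satisfied within one authorization instance.
            if obj == "S_RFC":
                can_call |= (covers(fields["ACTVT"], ("16",))
                             and covers(fields["RFC_NAME"], RFC_TARGETS))
            elif obj in TABLE_FIELD and covers(fields["ACTVT"], ("02", "03")):
                lows = [low for low, _ in fields[TABLE_FIELD[obj]]]
                if "*" in lows:
                    all_tables = True
                scoped.update(v for v in lows if v != "*")
        if can_call and all_tables:
            findings[role] = ("HIGH", "RFC_READ_TABLE with read/change on all tables")
        elif can_call:
            findings[role] = ("REVIEW", sorted(scoped))
    return findings

if __name__ == "__main__":
    for role, (severity, detail) in audit(SAMPLE).items():
        print(role, severity, detail)
```

A REVIEW result lists the tables or table authorization groups the role is scoped to, so an administrator can check each one for confidential or personal data before approving it.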

Similar Messages

  • PI 7.1. Setup Abap user to access Java tools

    Hi gurus!
    I need your help, I'm working with a new PI installation, and we have 2 types of user, one Java user with their password, and another ABAP user with their password. When I try to access the repository or directory, I must use the Java user, but in the other PI system, this is not so, I only use the ABAP user for all things.
    In this system, I need to keep roles in the ABAP stack and the Java stack, and I think this is not optimal.
    How can I synchronize the two types of users to only use the ABAP user for all things?
    Thank you in advance.

    How can I synchronize the two types of users to only use the ABAP user for all things?
    Simple....assign the *_J2EE roles to your ABAP user....more information on the roles required can be taken from
    http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm
    We normally create only one user and then assign ABAP and JAVA roles to it.

  • Can users who accessed the system via the ITS be identified?

    Dear experts,
    I wondered if there is any SAP system table which provides the information that a certain logged-in user has connected to the SAP-system via the ITS. I couldn't find anything and I've also been searching the SDN forums for that information in vain.
    Thanks in advance for your help
    cheers
    Andreas
    P.S.: In case this should be of any interest in order to answer the question:
    R/3 4.7 Enterprise / SAP_BASIS Release 620 Patchlevel 0063

    Hi Andreas,
    Cristiano is right here. The Access.log will show you the required information in an ITS 6.20 environment
    See the help.sap.com section: [Access Logs |http://help.sap.com/saphelp_webas630/helpdata/eN/32/1166d6f97811d1801d00c04fadbf76/frameset.htm]
    Regards,
    Oisin

  • How can I restrict more than one user to access the table?

    Hi !
    I have a problem and two solutions and I am a bit confused as to
    which one is the best one and/or can there be any better way of
    handling the problem ?
    Problem : I have to update a key field of a table when I update
    it in the form 5.0 screen. I am basically doing a maintenance of
    a table and if a certain field is updated then the change has to
    be reflected in two more tables. But the issue is that the field
    is a part of the key in those two tables. So all I can think of
    is that I need to insert new set or rows for that new value of
    the field and delete the old set of records for old values of
    the field.
    There are two ways of doing it;
    1. One option can be to explicitly define two cursors separately
    and fetch the values in them one by one and then insert the new
    records and then delete the old records in both the tables. This
    I feel will be a cumbersome process both in terms of processing
    time and the coding.
    2. Second option I was thinking can be to create two flat tables
    (without keys) and insert the values in them and update the
    changed field there and then insert the rows in the respective
    tables. Delete the old records in the main tables and delete the
    records in these flat tables. This is a bit faster and
    easier to predict and code. This seems to be a better option for
    me.
    Any comments on these ?
    In both the cases I was thinking of making some provision so
    that more than one person can't update the table simultaneously.
    Since if there is more than one person doing the processing
    then some inconsistency might creep into the whole process.
    This is easier to do in the second process as if I check the
    data in the flat tables and if there is some data then I can
    presume that some one is doing the processing and I can ask the
    other person to hold for a while. But in this case how can I
    stop more than two people to simultaneously check for the empty
    table and start inserting the record ?
    I was just thinking of having a separate table having only one
    field and this will be a key field and as the process begins the
    process will insert a fix value say 'Y' in the key field and at
    the end of the process the record will be deleted and this way
    we can restrict the user to access the process more than one at
    a time..? Since you can't have same value of the key in a table
    more than once.
    Any better way of handling it will be deeply appreciated.
    How about locking the table at the beginning and releasing the
    lock at the end ? Will there be any issue in that? since I am
    inserting and deleting the rows in the same transaction.
    Comments welcome,
    Shobhit

    How about performing the update IN the database using a stored
    procedure?
    By using non-database fields on your form to get the
    information, you can then call the procedure in the database to
    perform the updates. If an error occurs in the procedure you
    rollback, if necessary, and send a message or status back to the
    form. If it succeeds you might wish to commit and then re-
    execute the form's query -- using either the original key values
    or the new key values...

  • Admin and user rights for change active airport

    Hello all together,
    my son has a new MacBook (System 10.5) for his school and he learns with the computer in all school subjects. So I created two users, admin and one for him. After he had installed all applications that he needs for school, I gave the admin a password. Now my son can't install applications or change system settings. But I must give him admin rights, because when he stays at school, he must change the airport environment for school and if he stays at home he must change it back to home. Is it not possible to set the rights for a non-admin user so that he can change the airport environment?
    Thanks for reading.
    Regards,
    Tommy

    If he needs admin status to use the wireless connection, then you need to make him an admin user. As far as I know, there is no partial admin configuration.

  • Roles required for accessing BBPGETVD Transaction

    Hi
    Can anyone help me with what the required roles are to be assigned to a user to access the tcode BBPGETVD?
    I mean I wanted to access the BBPGETVD transaction. What are the roles that I need to assign myself so that I can use that tcode?
    Regards
    Sairam
    Edited by: Sai Ram on Jun 18, 2008 1:13 PM

    Hi Sai,
    As far as I have seen more than the transactions, the jobs associated with the transactions are used.
    Also, the replication is done by the administrator of the system, which means either SAP_ALL or SAP_EC_BBP_ADMINISTRATOR.
    I suggest you to run the associated jobs for the 2 transactions BBPGETVD and BBPUPDVD . Following are the jobs associated
    BBPGETVD     BBP_VENDOR_GET_DATA_JOB
    BBPUPDVD     BBP_VENDOR_UPDATE_DATA_JOB
    thanks,
    Ashwin
    Do reward points for useful suggestions

  • Public Folder not accessible from outlook for a number of users(Impacted users Expanding)

    Hi ,
    We have an Exchange 2013 Server with both Mailbox and CAS roles on it. We are currently migrating the mailboxes to a new server as the old one had some OS issue.
    We use a number of public folders. Since the past two days, a number of users are not able to access public folders from Outlook 2013 (able to access through OWA). The issue is expanding to other users now. Please let me know some options to arrest this and resolve the same.
    When I try to check for any issues from ECP, I go to the public folder and click manage, I get the 505 error. Please help
    Thanks,
    Vivek

    Hi,
    Based on the description, you moved public folder mailboxes and user mailboxes to another server. After that, some users couldn't access public folders in Outlook. You can use the Get-PublicFolderStatistics cmdlet to retrieve statistical information about public folders.
    And please check if there is any error message when these affected users access public folders in their Outlook.
    Since users can access public folders via OWA, I recommend you test Outlook connectivity using Test Email AutoConfiguration tool.
    In order to troubleshoot this issue more efficiently, I suggest you post the error message that you encountered in ECP for further research.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Want documents for Web Dynpro ABAP

    Hi All ,
    Can anyone please send me the docs or link for Web Dynpro ABAP.
    Thanks in advance
    Rahul

    Hi Rahul,
       Welcome to the interesting world of Web Dynpro ABAP !
    For Web dynpro ABAP you will require SAP ECC 6.0 onwards and WAS 7.0
    is a must. It has very good future prospects as this is best UI technology.
    In web dynpro ABAP we follow MVC(Model View Controller) architecture.
    In this object oriented ABAP is used to provide background functionality. Here, your ABAP skills can be utilized to the fullest. Programming in web dynpro ABAP is different than conventional ABAP programming. Here we strictly follow MVC architecture in terms of controller interface. Also there are many wizards available so that we can directly pick the code from wizards.
    e.g. We can call BAPI through a service call in web dynpro application. Thus automatically background code for BAPI execution will be generated.
    To start with Web dynpro ABAP you can try following tutorial:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a282c952-0801-0010-1eb5-87953e036712
    You can start with tutorials and all. There are around six tutorials in SDN library.
    Web Dynpro for ABAP
    http://help.sap.com/saphelp_erp2005/helpdata/en/a5/1a1e3e7181b60ae10000000a114084/frameset.htm
    best tutorials in Web Dynpro for ABAP to start with :
    https://www.sdn.sap.com/irj/sdn/developerareas/webdynpro?rid=/webcontent/uuid/fed073e5-0901-0010-4eb4-c9882aac7b11 [original link is broken]
    Have a look at the following SDN WDA Wiki . There you can find all relevant information.
    https://wiki.sdn.sap.com/wiki/display/WDABAP/Main
    First of all start doing SAP SDN tutorials .
    Create some components with BAPI , Component usage and ALV .
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/02e1fa45-0801-0010-10a0-f1cf47e8c943
    /people/marilyn.pratt/blog/2005/12/20/web-dynpro-for-abap
    Try to Download demo tutorials from SDN library & Try to search WebDynpro ABAP WebLogs .
    Wait, not just that, SAP has provided you with ample demo examples of WD ABAP already bundled with SAP . Just try out Components starting with WDR . I can tell you a few like WDR_TEST_EVENTS ( It shows how to use every UI element )
    See packages like SWDP_DEMO , SALV_WD_DEMO
    there are many more .
    /people/marilyn.pratt/blog/2005/12/20/web-dynpro-for-abap
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a282c952-0801-0010-1eb5-87953e036712
    Also you can search weblogs on web dynpro ABAP.
    Hope this will help you.
    Cheers,
    Darshna.

  • Certification - Web AS for Oracle (Technical)

    Hi,
    I want to prepare for this technical certification and according to SAP's website, the courses I need for this preparation are TADM10, TADM12,TADM51.
    But these TADM courses are themselves collections of different SAP courses. SAP doesn't give details on what courses make up these courses.
    Can anyone provide a list of courses that make up TADM10, TADM12 and TADM51 respectively.
    Thanks
    Cyrus

    I am not sure if I understand your question. But the following URL gives you a picture of courses you are talking about and its equivalent individual courses. Example you can take just TADM10 course instead of SAPTEC, ADM100 and ADM200.
    http://www50.sap.com/useducation/curriculum/curriculum.asp?rid=292&TID=
    Also please post any certification related questions in its own forum.

  • Help needed restricting users admin access to devices using ACS 4.2

    I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
    The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. (I have a separate group called 'PIX ACCESS' which will contain only defined users for admin access).
    Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
    So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

    Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
    This comes up every time I install an ACS server, (every 2-3 years), and it's always a trick.
    Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

  • Getting list of tables the user has access to across different schemas.

    Hi,
    I have to get the list of tables that a user has access to. I tried the below code. It takes a very long time. Is there any way in which I can specify the user name and get all the tables that he has access to? I know that we can use dbMetadata.getTables api. But this returns the list of tables under the said schema. But I want the list of tables that the user has access to, including tables in other schemas.
    In the below code, I am trying to get the tables for which USER_MICHAEL has access to.
    DatabaseMetaData dbMetadata = connection.getMetaData();
    String userName = null;
    dbrs = dbMetadata.getTables(null, userName, "%", new String[] { "TABLE" });
    dbrs = dbMetadata.getTablePrivileges("", userName, "%");
    while (dbrs.next()) {
        String tableName = dbrs.getString("TABLE_NAME");
        String schema = dbrs.getString("TABLE_SCHEM");
        String privilege = dbrs.getString("PRIVILEGE");
        String grantee = dbrs.getString("GRANTEE");
        if (grantee != null && grantee.equals("USER_MICHAEL")) {
            System.out.println("Schema---" + schema + " Table---" + tableName + "  Privilege----" + privilege + "  grantee---- " + grantee);
        }
    }

    That would be database dependent.
    Some engines have some system tables that together may be used to extract such information, others may not make it available at all outside closed APIs.

  • Log to check as to which user has accessed which report?

    Hi,
    I am using BOBJ for report creation and SAP BI for datawarehousing.
    The user can access these reports using the iviews created in the portal. Due to some performance testing requirements we need to check which user accessed which report and if he has drilled down to a particular level in a report, then there should be a means to know that as well.
    BO offers a few standard activity reports to check which user has done which activity. However the details of drill down etc. cannot be checked using that. Please help as to how can we check that too.
    Best Regards,
    Neha

    Hi,
    See the Business Objects and Crystal Reports forums for this topic [original links are broken].
    -Paul

  • Access Enterprise Search via ABAP Web Service

    Hello ES experts,
    I am looking for more information on how to access Enterprise Search via ABAP web service QSDispatcher, using processQuery operation. I created a client proxy and need information on structure of input and output parameters (query and query result)
    Thanks, Srdjan

    Hi Srdjan
    You can access the SAP ABAP system by configuring it in the NW ES admin console, any system with version > 4.6C can be integrated in the search engine.
    The UI for NW ES is a WebDynpro via Web Browser (In the future will be integrated in Widgets and Portal, etc) but i'm not sure if you want to use the WS to access the results of the ES searching or if you want to integrate a WS from ABAP as part of the searching area...
    Please clarify.
    Thanks,
    Best Regards,
    Luis

  • VAT code mandatory status field for Account; from the SAP tables

    Hi All,
    I need a big favour from you all on this FI requirement
    As you all know in SAP FI transactions (FB01), we enter account and some of them need VAT code as mandatory entry;
    I need to write a sql to check whether VAT code is mandatory for account or not from the config SAP tables;
    Can I know the table name and the field names related to this
    Many Thanks
    Iver

    HI,
    No specific table tells you whether particular account requires VAT code or not.
    This is based on the GL account tax details maintained. In the FS00 - GL> in "Control tab" based on the tax category it will ask the VAT code.
    Without maintaining the details as said above, you can't use the tax code while doing FB01.
    VVR

  • User rights for technical User for Web Service Communication

    Hello all,
    we have a scenario where a web service is called, which is exposed by XI. The XI asks for a technical user, when the service is called from an external application. How can we create a user, which is only able to be used in certain scenarios, so that it's not possible, that everybody who has the user can invoke all scenarios.
    Best regards,
    David

    Hi David,
    If I am not wrong, you are using Soap Adapter in XI for receiving webservice calls from 3rd Party Application.
    Configure a user with no roles and authorisation profiles in XI server first.
    Then, this user needs to be set up in Visual Administrator in XI server.
    Ask your Basis to Follow the steps below:
    1.Login to XI Visual Administrator.
    2.Click on Services -->Security Provider --> Runtime --> Policy Configurations -->
    Then select below under Components:
    Sap.com/com.sap.aii.af.soapadapter*XISOAPADAPTER --> then click on Security Roles -->
    Select:  xi_adapter_soap_message -->  Modify and add your configured User here in Users tab.
    Note: This will authorise your user without any roles.
    In this way you can give above username and password to 3rd Party Application to configure at their end.
    Since the user doesn't have any access, nobody can misuse it and it can only be used for webservice calls at XI server.
    Implement this and if it solves your problem, provide full points.
    Thanks ,
    Anurag
